coreos-installer: add information about CVE-2021-20319

crates/coreos-installer/RUSTSEC-0000-0000.md

@@ -0,0 +1,50 @@
+```toml
+[advisory]
+id = "RUSTSEC-0000-0000"
+package = "coreos-installer"
+date = "2022-03-04"
+url = "https://bugzilla.redhat.com/show_bug.cgi?id=2011862"
+references = ["https://nvd.nist.gov/vuln/detail/CVE-2021-20319"]
+categories = ["privilege-escalation"]
+cvss = "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+aliases = ["CVE-2021-20319", "GHSA-3r3g-g73x-g593"]
+
+[versions]
+patched = [">= 0.10.1"]
+```
+
+# Incorrect signature verification on gzip-compressed install images
+
+The coreos-installer is a program to fetch a disk image and
+stream it to a target disk.
+
+During the installation process the installation image gpg
+signatures are verified.
+
+The signature verification can be bypassed for gzip-compressed
+images due to a flaw in gzip coreos-installer wrapper.
+
+When the decoder encounters the gzip trailer, it signals EOF
+to its output and does not continue reading from its input.
+As a result, earlier wrappers don't notice that they've reached
+EOF.
+
+In particular, the GPG wrapper does not check the exit code of GPG.
+
+Thus, if an attacker can substitute an attacker-controlled
+gzipped disk image, installation will complete successfully
+without a valid signature.
+
+This vulnerability impacts only specific, User-Provisioned
+Infrastructure (UPI) installation methods where coreos-installer
+is used and where gzip-compressed images are configured as
+the installation source.
+
+The Installer-Provisioned Infrastructure (IPI) bare-metal
+installs do use coreos-installer, but this installation
+method uses an install image embedded in the live OS image
+(ISO or PXE image), therefore is not affected by this
+vulnerability.
+
+This vulnerability is specific to some upstream Fedora
+CoreOS installation flows.